www.cendio.com
Bug 4003 - Support authentication using existing kerberos ticket
Status: CLOSED FIXED
Product: ThinLinc
Component: Client
Version: 3.2.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.0
Assigned To:
Depends on: 3183 4440
Blocks: 4572
Reported: 2011-09-27 16:04 by
Modified: 2013-06-12 11:42 (History)

------- Comment #3 From cendio 2012-11-01 14:21:56 -------
See bug #4440 for the pre-study results. Time estimate includes:

1) Patching OpenSSH to dynamically load GSSAPI libraries on supported
platforms. This probably involves writing a communication layer to load the
appropriate libraries if available, and shuffle requests back and forth. This
layer could also be used to handle/translate SSPI requests on Windows.

2) Implementing the SSPI layer for Windows

3) Implementing the new functionality in the GUI

4) Documenting the new feature

5) Testing etc
------- Comment #4 From cendio 2012-11-01 14:32:27 -------
Some helpful links:

SSPI/Kerberos Interoperability with GSSAPI:
http://msdn.microsoft.com/en-us/library/ms995352.aspx

Kerberos/GSSAPI Support in OpenSSH
http://www.sxw.org.uk/computing/patches/openssh.html

Differences between Heimdal and MIT Kerberos API
http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/h5l_mit_apidiff.html

Developing with GSSAPI
http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/gssapi.html

Build and installation instructions for the NoMachine OpenSSH Win32 Port
http://www.nomachine.com/ar/view.php?ar_id=AR01J00621
------- Comment #5 From cendio 2012-12-06 09:44:14 -------
Step one: get the SSH client building with Kerberos support on all platforms. 

Initial Kerberos commit to build system done in r26286.
------- Comment #6 From cendio 2012-12-06 10:46:23 -------
Updated Solaris' sysroot on the build system with kerberos packages in r26287.
------- Comment #7 From cendio 2012-12-06 11:05:12 -------
r26288: Make sure the OS X sysroot provides krb5 (it already does)
r26289: Make sure that cendio-build-krb5 is now a dependency of the client
------- Comment #8 From cendio 2013-01-21 16:23:07 -------
r26432: Build OpenSSH with kerberos support, and provide a wrapper for loading
the GSSAPI libraries dynamically at runtime.
------- Comment #9 From cendio 2013-01-22 14:01:22 -------
r26442: Give correct paths for header files on Solaris, make sure that SSH
builds with kerberos support on Solaris in the absence of expected (Linux only)
libraries

r26443: In the absence of gssapi_generic on Solaris, make sure the correct
functions are defined.
------- Comment #10 From cendio 2013-01-22 15:08:25 -------
r26445: Use the correct extension when loading Apple's GSSAPI lib (.dylib not
.so)
r26446: Use the correct type when declaring GSS_C_NT_HOSTBASED_SERVICE on OS X
------- Comment #11 From cendio 2013-01-24 13:46:42 -------
r26452/26453: Initial commit for kerberos support in client GUI. Still need to
handle error conditions and logging etc
------- Comment #12 From cendio 2013-01-25 16:35:17 -------
We now need to implement some form of error handling. The error handling with
regards to kerberos authentication should have 2 main goals:

1) Log with sufficient detail to enable advanced troubleshooting for
administrators/support

2) Present simple error messages to the user for common
errors/misconfigurations

There are two levels of error message in our implementation; GSSAPI/SSPI
errors, and authentication mechanism errors (in our case, this means kerberos).
The problem is that we are dealing with potentially 4 different kerberos
implementations:

1) MIT Kerberos v5 (Linux, OS X < 10.7)
2) Heimdal Kerberos (OS X 10.7+)
3) Solaris' implementation (Solaris)
4) SSPI (Windows)

For any given error, some platforms provide an error code at GSSAPI level, some
at kerberos level. Moreover, the error code returned may differ across
platforms and kerberos implementations.

To satisfy goal 1), we should try to log specific error codes whenever
possible. GSSAPI error codes are defined in the GSSAPI header files, so we can
make use of those. For platform/implementation-specific authentication
mechanism error codes, we will need to define the most common ones ourselves.

To satisfy goal 2), we should see if it is possible to associate a
cross-platform set of error codes with a particular common scenario. For
example, a missing credentials cache gives the following error codes on the
following platforms:

Solaris: GSS_S_NO_CRED
Linux/OS X: KRB5_FCC_NOFILE

The next step is therefore to define a set of common error scenarios, and
determine the error codes which might indicate these across all platforms.
------- Comment #13 From cendio 2013-01-28 10:58:43 -------
Missing credentials cache
-------------------------
Linux:     KRB5_FCC_NOFILE
OS X 10.4: KRB5_FCC_NOFILE
OS X 10.8: KRB5_FCC_NOFILE
Solaris:   GSS_S_NO_CRED


Expired ticket
--------------
Linux:     KRB5KRB_AP_ERR_TKT_EXPIRED
OS X 10.4: KRB5KRB_AP_ERR_TKT_EXPIRED
OS X 10.8: GSS_S_CONTEXT_EXPIRED
Solaris:   KRB5_NO_TKT_IN_RLM


KDC Unresolvable
----------------
Linux:     KRB5_KDC_UNREACH
OS X 10.4: KRB5_TKT_NOT_FORWARDABLE
OS X 10.8: KRB5_KDC_UNREACH
Solaris:   KRB5_TKT_NOT_FORWARDABLE
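The two-level error handling sketched in comments #12 and #13, written out as an added example. This is not ThinLinc/Cendio code: it mirrors the RFC 2744 major-status layout (which is real) and the per-platform table above, but the numeric values given to the KRB5_* minor codes are placeholders, and the user-facing wording is an assumption.

```c
/*
 * Added example (not ThinLinc/Cendio code): classify a Kerberos GSSAPI failure
 * into a detailed log line (goal 1) and a common scenario with a simple user
 * message (goal 2), using the per-platform codes from the table above.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t OM_uint32;

/* GSS major status layout per RFC 2744: bits 24-31 calling error,
 * bits 16-23 routine error, bits 0-15 supplementary info. */
#define GSS_CALLING_ERROR(x)      (((x) >> 24) & 0xffu)
#define GSS_ROUTINE_ERROR(x)      (((x) >> 16) & 0xffu)
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & 0xffffu)
#define GSS_ERROR(x)              ((x) & 0xffff0000u)

#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u          /* supplementary bit, not an error */
#define GSS_S_NO_CRED         (7u << 16)
#define GSS_S_CONTEXT_EXPIRED (12u << 16)
#define GSS_S_FAILURE         (13u << 16) /* "minor code may provide more information" */

/* Mechanism-level (krb5) minor codes named in the table above. The numeric
 * values are ILLUSTRATIVE PLACEHOLDERS (assumption): a real build must take
 * them from each platform's <krb5.h>, where they are negative com_err codes. */
#define KRB5_FCC_NOFILE            (-1001)
#define KRB5KRB_AP_ERR_TKT_EXPIRED (-1002)
#define KRB5_KDC_UNREACH           (-1003)
#define KRB5_NO_TKT_IN_RLM         (-1004)
#define KRB5_TKT_NOT_FORWARDABLE   (-1005)

enum platform { PLAT_LINUX, PLAT_OSX_104, PLAT_OSX_108, PLAT_SOLARIS };
enum scenario { SCEN_NONE, SCEN_UNKNOWN, SCEN_NO_CCACHE, SCEN_TKT_EXPIRED, SCEN_KDC_UNREACH };

/* One row per (platform, scenario). A row matches on the GSS routine error
 * when `major` is non-zero, otherwise on the mechanism minor code. */
struct code_map { enum platform plat; OM_uint32 major; int32_t minor; enum scenario scen; };

static const struct code_map table[] = {
    /* Missing credentials cache */
    { PLAT_LINUX,   0,                     KRB5_FCC_NOFILE,            SCEN_NO_CCACHE },
    { PLAT_OSX_104, 0,                     KRB5_FCC_NOFILE,            SCEN_NO_CCACHE },
    { PLAT_OSX_108, 0,                     KRB5_FCC_NOFILE,            SCEN_NO_CCACHE },
    { PLAT_SOLARIS, GSS_S_NO_CRED,         0,                          SCEN_NO_CCACHE },
    /* Expired ticket */
    { PLAT_LINUX,   0,                     KRB5KRB_AP_ERR_TKT_EXPIRED, SCEN_TKT_EXPIRED },
    { PLAT_OSX_104, 0,                     KRB5KRB_AP_ERR_TKT_EXPIRED, SCEN_TKT_EXPIRED },
    { PLAT_OSX_108, GSS_S_CONTEXT_EXPIRED, 0,                          SCEN_TKT_EXPIRED },
    { PLAT_SOLARIS, 0,                     KRB5_NO_TKT_IN_RLM,         SCEN_TKT_EXPIRED },
    /* KDC unresolvable */
    { PLAT_LINUX,   0,                     KRB5_KDC_UNREACH,           SCEN_KDC_UNREACH },
    { PLAT_OSX_104, 0,                     KRB5_TKT_NOT_FORWARDABLE,   SCEN_KDC_UNREACH },
    { PLAT_OSX_108, 0,                     KRB5_KDC_UNREACH,           SCEN_KDC_UNREACH },
    { PLAT_SOLARIS, 0,                     KRB5_TKT_NOT_FORWARDABLE,   SCEN_KDC_UNREACH },
};

/* GSS level first (routine error), then mechanism level (minor code). */
enum scenario classify_gss_failure(enum platform plat, OM_uint32 major, int32_t minor)
{
    size_t i;
    if (!GSS_ERROR(major))
        return SCEN_NONE;  /* GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED: not a failure */
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct code_map *m = &table[i];
        if (m->plat != plat)
            continue;
        if (m->major != 0) {
            if (GSS_ROUTINE_ERROR(m->major) == GSS_ROUTINE_ERROR(major))
                return m->scen;
        } else if (minor != 0 && m->minor == minor) {
            return m->scen;
        }
    }
    return SCEN_UNKNOWN;
}

/* Goal 1: the raw codes, decoded, for administrators and support. */
int format_gss_log(OM_uint32 major, int32_t minor, char *buf, size_t len)
{
    return snprintf(buf, len,
        "gss_init_sec_context failed: major=0x%08x (calling=%u routine=%u supp=0x%x) minor=%d",
        (unsigned)major, (unsigned)GSS_CALLING_ERROR(major),
        (unsigned)GSS_ROUTINE_ERROR(major), (unsigned)GSS_SUPPLEMENTARY_INFO(major), (int)minor);
}

/* Goal 2: one short message per common scenario (wording is an assumption). */
const char *user_message(enum scenario s)
{
    switch (s) {
    case SCEN_NONE:        return "Kerberos authentication succeeded.";
    case SCEN_NO_CCACHE:   return "No Kerberos ticket found. Obtain a ticket (kinit) and try again.";
    case SCEN_TKT_EXPIRED: return "Your Kerberos ticket has expired. Renew it and try again.";
    case SCEN_KDC_UNREACH: return "The Kerberos server (KDC) cannot be reached. Check the network and realm configuration.";
    default:               return "Kerberos authentication failed. See the client log for details.";
    }
}

int main(void)
{
    char line[160];
    OM_uint32 major = GSS_S_FAILURE;
    int32_t minor = KRB5_FCC_NOFILE;   /* constructed sample: Linux, no credentials cache */

    format_gss_log(major, minor, line, sizeof line);
    printf("log:  %s\nuser: %s\n", line,
           user_message(classify_gss_failure(PLAT_LINUX, major, minor)));
    return 0;
}
```

The table is deliberately keyed by platform rather than by GSSAPI implementation alone, because (as the table above shows) the same scenario surfaces at the GSS level on one platform and at the mechanism level on another; a lookup that only inspects the minor code would miss Solaris' GSS_S_NO_CRED entirely.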
------- Comment #14 From cendio 2013-01-29 15:31:53 -------
r26462: Create a function pointer map for assigning GSSAPI function pointers
more efficiently

r26465: Make sure we pass execution back to OpenSSH on error, to allow clean-up
and/or try alternative authentication methods
------- Comment #16 From cendio 2013-02-20 09:40:34 -------
OpenSSH now compiling for all platforms with kerberos support enabled (although
not yet implemented on Windows). TODO:

- Implement SSPI wrapper functions on Windows (win32-sspi)

- For consistency, include win32-sspi.h from openbsd-compat.h instead of
ssh-gss.h

- Investigate mktemp symbol conflict warnings on OSX build

- Investigate removing sed strings from ThinLinc client Makefile in favour of a
more portable solution during the OpenSSH configure stage

- Possibly check for win32-sspi before defining GSSAPI during configure on the
Windows build

- Check that we're not linking against any unnecessary/unsafe libs

- See if there are any fixes or enhancements which might be useful upstream
------- Comment #17 From cendio 2013-02-20 10:09:18 -------
(In reply to comment #16)
> - For consistency, include win32-sspi.h from openbsd-compat.h instead of
> ssh-gss.h

r26637
------- Comment #18 From cendio 2013-02-21 16:14:20 -------
Patch to get rid of extra libraries in ssh submitted upstream:

https://bugzilla.mindrot.org/show_bug.cgi?id=2072
------- Comment #19 From cendio 2013-02-21 16:18:53 -------
Patch for Solaris support also submitted upstream:

https://bugzilla.mindrot.org/show_bug.cgi?id=2073
------- Comment #20 From cendio 2013-03-13 14:45:10 -------
Two todos:

 a) The KERBEROS AUTH FAILED message should be removed and a failure should be
handled inside LAST AUTHMETHOD (the same way it's done for other authentication
methods).

 b) Also in LAST AUTHMETHOD, we need to detect when the server doesn't support
GSSAPI.
------- Comment #21 From cendio 2013-03-13 15:48:04 -------
gss_import_name implemented in r26791.

------- Comment #22 From cendio 2013-03-20 08:49:15 -------
Initial commit of gss_init_sec_context done in r26825.

TODO:

- Implement expiry timestamp
- Sanity check of tokens returned from InitializeSecurityContext
- Check flags returned from InitializeSecurityContext
- Make sure that OpenSSH is getting everything it needs back from this function
call (ret_flags, time_rec etc)
- Check if we can handle other return codes from InitializeSecurityContext
- See if we can set some kind of sensible minor_code for this function
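The pieces of the TODO list that are plain translation logic (status, ret_flags, time_rec, token sanity check, minor code), as an added example of what a gss_init_sec_context() wrapper over InitializeSecurityContext() has to hand back to OpenSSH. This is not the win32-sspi code from the bug; the SEC_E_*/ISC_RET_* and GSS_* values are copied from the Windows SDK and RFC 2744 and defined locally so the example compiles without Windows headers, and the choice of which SECURITY_STATUS maps to which GSS routine error is this example's own.

```c
/*
 * Added example (not ThinLinc/Cendio code): translating an
 * InitializeSecurityContext() result into the GSSAPI outputs OpenSSH expects.
 */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef uint32_t OM_uint32;
typedef int32_t  SECURITY_STATUS;

/* GSSAPI values from RFC 2744. */
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u            /* supplementary bit; GSS_ERROR() is false */
#define GSS_S_BAD_NAME        (2u << 16)
#define GSS_S_NO_CRED         (7u << 16)
#define GSS_S_DEFECTIVE_TOKEN (9u << 16)
#define GSS_S_CONTEXT_EXPIRED (12u << 16)
#define GSS_S_FAILURE         (13u << 16)
#define GSS_C_DELEG_FLAG    1u
#define GSS_C_MUTUAL_FLAG   2u
#define GSS_C_REPLAY_FLAG   4u
#define GSS_C_SEQUENCE_FLAG 8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u
#define GSS_C_INDEFINITE    0xffffffffu

/* Windows SDK values (sspi.h / winerror.h), mirrored so this builds anywhere. */
#define SEC_E_OK                          ((SECURITY_STATUS)0x00000000)
#define SEC_I_CONTINUE_NEEDED             ((SECURITY_STATUS)0x00090312)
#define SEC_E_TARGET_UNKNOWN              ((SECURITY_STATUS)0x80090303)
#define SEC_E_INVALID_TOKEN               ((SECURITY_STATUS)0x80090308)
#define SEC_E_NO_CREDENTIALS              ((SECURITY_STATUS)0x8009030E)
#define SEC_E_NO_AUTHENTICATING_AUTHORITY ((SECURITY_STATUS)0x80090311)
#define SEC_E_CONTEXT_EXPIRED             ((SECURITY_STATUS)0x80090317)
#define ISC_RET_DELEGATE        0x00000001u
#define ISC_RET_MUTUAL_AUTH     0x00000002u
#define ISC_RET_REPLAY_DETECT   0x00000004u
#define ISC_RET_SEQUENCE_DETECT 0x00000008u
#define ISC_RET_CONFIDENTIALITY 0x00000010u
#define ISC_RET_INTEGRITY       0x00010000u

#define FILETIME_UNIX_EPOCH 116444736000000000ULL  /* 1970-01-01 in 100 ns ticks since 1601 */

struct gss_isc_result { OM_uint32 major, minor, ret_flags, time_rec; };

/* SECURITY_STATUS -> GSS major. Statuses without a clear GSS routine error
 * become GSS_S_FAILURE; the raw status survives as the minor code (see below). */
OM_uint32 sspi_status_to_gss_major(SECURITY_STATUS ss)
{
    switch (ss) {
    case SEC_E_OK:              return GSS_S_COMPLETE;
    case SEC_I_CONTINUE_NEEDED: return GSS_S_CONTINUE_NEEDED;  /* must not set error bits */
    case SEC_E_NO_CREDENTIALS:  return GSS_S_NO_CRED;
    case SEC_E_CONTEXT_EXPIRED: return GSS_S_CONTEXT_EXPIRED;
    case SEC_E_INVALID_TOKEN:   return GSS_S_DEFECTIVE_TOKEN;
    case SEC_E_TARGET_UNKNOWN:  return GSS_S_BAD_NAME;
    default:                    return GSS_S_FAILURE;  /* e.g. SEC_E_NO_AUTHENTICATING_AUTHORITY */
    }
}

/* ISC_RET_* context attributes -> GSS ret_flags. OpenSSH looks at
 * GSS_C_INTEG_FLAG here to decide whether it may send the gssapi-with-mic MIC. */
OM_uint32 sspi_ret_flags_to_gss(uint32_t isc_ret)
{
    OM_uint32 f = 0;
    if (isc_ret & ISC_RET_DELEGATE)        f |= GSS_C_DELEG_FLAG;
    if (isc_ret & ISC_RET_MUTUAL_AUTH)     f |= GSS_C_MUTUAL_FLAG;
    if (isc_ret & ISC_RET_REPLAY_DETECT)   f |= GSS_C_REPLAY_FLAG;
    if (isc_ret & ISC_RET_SEQUENCE_DETECT) f |= GSS_C_SEQUENCE_FLAG;
    if (isc_ret & ISC_RET_CONFIDENTIALITY) f |= GSS_C_CONF_FLAG;
    if (isc_ret & ISC_RET_INTEGRITY)       f |= GSS_C_INTEG_FLAG;
    return f;
}

/* SSPI reports expiry as a FILETIME (100 ns ticks since 1601-01-01 UTC);
 * GSSAPI's time_rec is seconds remaining from now, 0 if already expired. */
OM_uint32 sspi_expiry_to_time_rec(uint64_t expiry_filetime, time_t now)
{
    uint64_t now_ft = (uint64_t)now * 10000000ULL + FILETIME_UNIX_EPOCH;
    uint64_t secs;
    if (expiry_filetime <= now_ft)
        return 0;
    secs = (expiry_filetime - now_ft) / 10000000ULL;
    /* clamp so a huge lifetime never reads as GSS_C_INDEFINITE by accident */
    return secs >= GSS_C_INDEFINITE ? GSS_C_INDEFINITE - 1 : (OM_uint32)secs;
}

/* Sanity check on the output token before OpenSSH puts it on the wire. */
int sspi_output_token_ok(SECURITY_STATUS ss, const void *token, uint32_t cb)
{
    if (ss == SEC_I_CONTINUE_NEEDED)
        return token != NULL && cb > 0;   /* "continue" without a token to send is bogus */
    if (ss == SEC_E_OK)
        return cb == 0 || token != NULL;  /* a final token is optional */
    return 1;                             /* nothing is sent on error */
}

struct gss_isc_result translate_isc_result(SECURITY_STATUS ss, uint32_t isc_ret,
                                           uint64_t expiry_filetime, time_t now,
                                           const void *token, uint32_t cb)
{
    struct gss_isc_result r;
    r.major = sspi_status_to_gss_major(ss);
    r.minor = (OM_uint32)ss;              /* raw SECURITY_STATUS as the "sensible minor code" */
    if (!sspi_output_token_ok(ss, token, cb))
        r.major = GSS_S_DEFECTIVE_TOKEN;
    r.ret_flags = sspi_ret_flags_to_gss(isc_ret);
    r.time_rec = (r.major & 0xffff0000u) ? 0 : sspi_expiry_to_time_rec(expiry_filetime, now);
    return r;
}

int main(void)
{
    unsigned char token[] = { 0x60, 0x82 };  /* constructed: first bytes of a GSS token */
    struct gss_isc_result r = translate_isc_result(SEC_I_CONTINUE_NEEDED,
        ISC_RET_MUTUAL_AUTH | ISC_RET_INTEGRITY,
        FILETIME_UNIX_EPOCH + 36000ULL * 10000000ULL, (time_t)0, token, sizeof token);
    printf("major=0x%08x minor=0x%08x ret_flags=0x%x time_rec=%u\n",
           (unsigned)r.major, (unsigned)r.minor, (unsigned)r.ret_flags, (unsigned)r.time_rec);
    return 0;
}
```

Keeping the raw SECURITY_STATUS as the minor code is what makes a later gss_display_status() useful on Windows: the major status only says "failure", the minor still says which SSPI error it was. Note also that SEC_I_CONTINUE_NEEDED is mapped to a supplementary bit and never to a routine error; otherwise OpenSSH's GSS_ERROR() check would abort the multi-leg exchange after the first token.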
------- Comment #23 From cendio 2013-03-20 09:05:57 -------
Initial commit of gss_delete_sec_context done in r26826
------- Comment #24 From cendio 2013-03-22 10:26:39 -------
gss_release_buffer committed in r26836.
gss_get_mic committed in r26838
------- Comment #25 From cendio 2013-04-02 14:49:04 -------
(In reply to comment #20)
> Two todos:
> 
>  a) The KERBEROS AUTH FAILED message should be removed and a failure should be
> handled inside LAST AUTHMETHOD (the same way it's done for other authentication
> methods).
> 
>  b) Also in LAST AUTHMETHOD, we need to detect when the server doesn't support
> GSSAPI.

Done in r26880, r26881, r26887, r26888.
------- Comment #26 From cendio 2013-04-03 13:51:39 -------
gss_release_name committed as r26896 + r26897
gss_release_cred committed as r26898
------- Comment #27 From cendio 2013-04-04 13:31:42 -------
(In reply to comment #16)
> - Check that we're not linking against any unnecessary/unsafe libs

Done.

libnsl in r26908, r26909
libutil in r26910
libcrypt in r26916
------- Comment #28 From cendio 2013-04-11 08:47:07 -------
Initial commit of gss_display_status in r27025
------- Comment #29 From cendio 2013-04-11 09:36:57 -------
(In reply to comment #16)
> OpenSSH now compiling for all platforms with kerberos support enabled (although
> not yet implemented on Windows). TODO:
> 
> - Implement SSPI wrapper functions on Windows (win32-sspi)

Initial versions of all functions required by the SSH client now implemented.

> - Investigate mktemp symbol conflict warnings on OSX build

These are just warnings, and don't seem to affect things.

> - Investigate removing sed strings from ThinLinc client Makefile in favour of a
> more portable solution during the OpenSSH configure stage

This is part of a larger project, i.e. separating OpenSSH's linking into
client/server/tool portions. Not a priority right now.

> - Possibly check for win32-sspi before defining GSSAPI during configure on the
> Windows build

Not necessary if/when we commit upstream. 

> - See if there are any fixes or enhancements which might be useful upstream

This should be done last.
------- Comment #31 From cendio 2013-05-07 09:42:19 -------
GUI fixed in r27319
------- Comment #32 From cendio 2013-05-07 11:30:05 -------
Documentation added in r27320
------- Comment #33 From cendio 2013-05-07 13:04:35 -------
Kerberos authentication should now be working across all platforms. There are
potentially a few minor improvements which can be made (some extra debugging
messages etc), but I think the base functionality is sufficient enough that
this bug can be closed.
------- Comment #34 From cendio 2013-05-08 10:37:29 -------
The tlclient UI is too small in simple mode. It's going to crop the branding
image.
------- Comment #35 From cendio 2013-05-08 11:03:59 -------
(In reply to comment #34)
> The tlclient UI is too small in simple mode. It's going to crop the branding
> image.

r27343
------- Comment #36 From cendio 2013-05-08 14:25:12 -------
(In reply to comment #35)
> (In reply to comment #34)
> > The tlclient UI is too small in simple mode. It's going to crop the branding
> > image.
> 
> r27343

Improved in r27353.
------- Comment #37 From cendio 2013-06-04 15:10:35 -------
The gsswrap modification should be submitted upstream as well.
------- Comment #38 From cendio 2013-06-05 10:46:42 -------
Started with the worst case, a Windows KDC.

1. Set up a Windows 2012 AD DC
2. Joined a Fedora 19 machine (using realmd)
3. Had to set default realm in /etc/krb5.conf for some reason
4. Installed ThinLinc on said Fedora 19
5. Configured sshd to allow kerberos auth
6. Had to fill in .k5login since sssd was using decorated usernames
(LKPG\tluser or tluser@lkpg.cendio.se)
7. Configured agent hostname (or ssh would fail to find the proper realm)[1]


Tested with these clients:

- Windows 8, joined to the domain: OK
- Fedora 18, only fetched a ticket: OK
- Fedora 19, fully joined[2][3]: OK
- Solaris, only fetched a ticket: OK
- OS X 10.4, only fetched a ticket: OK
- OS X 10.8, only fetched a ticket: OK

Note 1: you can log in as either LKPG\tluser or tluser@lkpg.cendio.se in these
cases
Note 2: SELinux was on at all times during this



[1]: The fact that you have to configure agent_hostname is a bug IMO and we
should add a new bugzilla entry for it.
[2]: Had to reboot after join to be able to log in though
[3]: I got this funky principal which I had to add to .k5login:
tluser\@LKPG.CENDIO.SE@LKPG.CENDIO.SE
------- Comment #39 From cendio 2013-06-05 10:58:52 -------
Tested an expired ticket on Fedora 18. You need -d 5 to see what's happening:

2013-06-05T10:55:17: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T10:55:17: ssh[E]: Ticket expired
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T10:55:17: ssh[E]: Ticket expired
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: Last line was repeated 1 time(s).
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T10:55:17: ssh[E]: Matching credential not found
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: ssh[E]: debug1: No more authentication methods to try.
2013-06-05T10:55:17: ssh[E]: LAST AUTHMETHOD:
publickey,gssapi-keyex,gssapi-with-mic,password

(there was an expired TGT and an expired session key in the cache)

Best we can do for now. OK.
------- Comment #40 From cendio 2013-06-05 14:28:19 -------
Valid TGT, but unreachable KDC:

2013-06-05T13:23:02: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:02: ssh[E]: 
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:02: ssh[E]: 
2013-06-05T13:23:05: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-05T13:23:05: ssh[E]: 
2013-06-05T13:23:05: Last line was repeated 1 time(s).
2013-06-05T13:23:05: ssh[E]: AUTH FAILURE

Valid TGT and valid session ticket, but unreachable KDC: Works

Non-forwardable TGT: Works.
------- Comment #41 From cendio 2013-06-07 11:32:52 -------
Get a TGT from KDC #1, then switch to KDC #2:

2013-06-07T11:27:03: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-07T11:27:03: ssh[E]: KDC returned error string: PROCESS_TGS
2013-06-07T11:27:03: ssh[E]: 
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-07T11:27:03: ssh[E]: KDC returned error string: PROCESS_TGS
2013-06-07T11:27:03: ssh[E]: 
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure.  Minor code may
provide more information
2013-06-07T11:27:03: ssh[E]: 
2013-06-07T11:27:03: Last line was repeated 1 time(s).
2013-06-07T11:27:03: ssh[E]: AUTH FAILURE

Get a TGT from KDC #2, then connect to a server associated with KDC #1:

2013-06-07T11:29:29: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: debug1: No more authentication methods to try.
2013-06-07T11:29:29: ssh[E]: LAST AUTHMETHOD:
publickey,gssapi-keyex,gssapi-with-mic,password
------- Comment #42 From cendio 2013-06-07 16:05:57 -------
Works fine with the principal ☭@LKPG.CENDIO.SE (with a Windows KDC no less).

Tested with Fedora 18 and Windows 8.
------- Comment #43 From cendio 2013-06-10 14:34:43 -------
Fedora 19 server with a RHEL 6 KDC:

- Fedora 18: OK
- Solaris: OK
- OS X 10.4: OK
- OS X 10.8: OK
------- Comment #44 From cendio 2013-06-10 14:35:31 -------
Fedora 18 client against Fedora 19 server without GSSAPI:

Correctly tells the user that the server doesn't support Kerberos.
------- Comment #45 From cendio 2013-06-10 14:59:14 -------
Fedora 18 client, Solaris 10 server, RHEL 6 KDC: Works
------- Comment #46 From cendio 2013-06-11 19:59:11 -------
(In reply to comment #37)
> The gsswrap modification should be submitted upstream as well.

https://bugzilla.mindrot.org/show_bug.cgi?id=2121
------- Comment #47 From cendio 2013-06-12 11:34:29 -------
Everything tested and could not find anything that did not work as expected.
------- Comment #48 From cendio 2013-06-12 11:42:22 -------
For reference, see also bug #4681.